Crypto Copilot Chrome Extension Scam Steal Solana via Hidden Code

Crypto Copilot Chrome Extension Scam Steals Solana in Swap Transfers

A secretly installed Chrome extension named Crypto Copilot, which is a type of fraud extension, has been found stealing users' small amounts of SOL by embedding additional transfer instructions into regular swaps. The discovery highlights the growing vulnerability of browser-based cryptocurrency tools and the subtle nature of modern cyber scams.

Crypto Copilot Chrome extension Scam: What Is Happening?

Cybersecurity firm Socket has revealed that a Chrome extension named Crypto Copilot has been secretly stealing Solana during routine on-chain swaps. 

The extensions is promoted as a convenience feature allowing one to trade on Solana without leaving X (previously Twitter), which deceives the user into thinking it is useful but injects malware into the system.

Although it currently shows only 15 installations, it has remained active since its launch on June 18, 2024, without triggering widespread suspicion.

Source: Cointelegraph

Why Is It Dangerous?

Unlike traditional crypto malware designed to drain entire wallets, Crypto Copilot uses a more subtle method:

• It steals tiny fractions of SOL per swap.

• Users unwillingly accept transactions that have a hidden transfer.

• The fact that each theft is small increases the chances of it going undetected, particularly among active traders who might not notice the presence of a fractional discrepancy.

• This type of stealth method enables the attacker to earn money gradually without the victims detecting him or her.

How the Scam Works?

• The extension relies on the Raydium decentralized exchange to make a real swap. 

• After preparing the legitimate transaction, Crypto Copilot automatically appends a second instruction with the System Program of Solana. 

• This direction fills the wallet of the attacker with 0.0013 SOL or 0.05% of the value of the trade.

• Both instructions are atomic in nature, i.e., they happen together. 

• As the transaction still has validity on-chain, wallets process it as a regular swap.

Why Users Can’t Detect It Easily — And Is It Still Active?

Phantom and Solflare wallets are usually summary displays of swap information, not a detailed breakdown of instructions. This design flaw allows the malicious transfer to stay hidden within the transaction approval screen.

Despite being reported to Google on November 25, the extension is still live on the Chrome Web Store, leaving users who install it at immediate risk.

Who Discovered the Scam?

The security team at Socket conducted the investigation and publicly documented how the extension manipulates swap instructions. Their report urges Google to remove the extension and warns the public about similar threats targeting Solana users.

Why This Matters?

This example also represents a wider trend in crypto-related attacks; the aggressive wallet drainage has been replaced by the precision-based micro-thefts. These kinds of schemes take advantage of user trust, interface constraints, and the speed of decentralized trading. With the increasing crypto activity in browsers and social networks, the threat of extensions-based attacks is growing.

This Scam in a Wider Pattern

Cryptocurrency Copilot belongs to a list of malicious Chrome extensions that are targeted at crypto users and are increasing. In the recent past, there have been phishing extensions that drain Solana wallets and browser cookie hijacking Binance accounts through the use of a plugin. These are recurring threats that highlight the importance of enhanced vetting and enhanced user awareness.

Conclusion

The scam is an eye-opener on how the bad stuff can creep into regular cryptocurrency operations so easily. Yesterday,  an Upbit Solana hack drained around $30 million worth of SOL tokens. One must use trusted tools and exchanges and always check every transaction and ensure that the wallet is kept secure.